Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious agent input can be delivered remotely (AV:N) and the bypass is deterministic (AC:L, PR:N, UI:N); escaping the sandbox to compromise the host is a scope change (S:C) with full C/I/A loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail - either because the target does not exist or because read permission is removed from the path - so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution - for example by overwriting the cursorsandbox helper so later commands run unsandboxed - with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
AnalysisAI
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where a malicious agent can write files outside the protected workspace. Cursor canonicalizes a Write target to confirm it stays in-workspace, but when canonicalization fails it insecurely falls back to the raw path and writes without approval; an agent can deliberately force this failure via an in-workspace symlink pointing outside the workspace (target missing or read permission stripped) to write arbitrary files under the user's privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Cursor prior to 3.0 running its default agent terminal sandbox, and requires the AI agent to be influenced to act maliciously (e.g., via prompt injection in repository/content the agent processes) - the description's 'malicious agent' is the core prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent on high severity: the vendor CVSS 4.0 base score is 9.3 with vector AV:N/AC:L/AT:N/PR:N/UI:N and high confidentiality, integrity, and availability impact, reflecting a reliable, low-complexity bypass that needs no special attack requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer asks Cursor's agent to work on a repository that contains attacker-planted prompt-injection content; acting on it, the agent creates an in-workspace symlink pointing outside the workspace and ensures canonicalization fails (target absent or read permission removed). The agent then issues a Write through the symlink - bypassing approval - to overwrite the cursorsandbox helper, so the next agent terminal command executes unsandboxed on the host under the user's privileges. … |
| Remediation | Upgrade to Cursor 3.0 or later, which fixes the canonicalization fail-open behavior - this is the primary and vendor-confirmed remediation (Vendor-released patch: 3.0), documented in advisory GHSA-3v8f-48vw-3mjx (https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Cursor deployments and identify vulnerable versions (prior to 3.0); brief development leadership and security team on the RCE risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39536